Deception / 10.27.2021

Attacks on Healthcare Organizations: Was the Writing on the Wall?

By Guy Waizel, Chief Operating Officer, TrapX Security

The big difference between the healthcare sector and other industries is that its value, and what is affected when it is compromised, are people’s lives and not just money.

Earlier in June 2021, we discussed why ransomware is a national security crisis and what to do about it. In this blog, I explain why and How TrapX DeceptionGrid can assist healthcare organizations in preparing themselves to defend against the most sophisticated cyber attacks and ransomware.

In late 2014, we conducted a PoC at one of the largest private healthcare institutions in Israel. We deployed DeceptionGrid at a small-scale coverage area of 15 virtual networks, and immediately detected five suspicious endpoints inside the organization.

Of these endpoints, we detected that the system administrator endpoint was infected with a downloader trojan. Another suspicious endpoint belonging to the head of finance was communicating with a botnet command & control server. Another endpoint was detected as infected with a known printer spooler malware; and two blood gas analyzers (medical equipment) were infected with malwares that were trying to spread the infection over the network to our emulation trap, which detected the infection.

All of this caught the IT-Security department by surprise. I recommended immediately isolating the endpoints d medical devices. Unfortunately, due to a shortage of resources and additional issues the medical devices were kept on the network and used 24*7.

A week later the system administrator called me urgently during the night to update me that ransomware had hit, at the direct order of the CISO. The exact same endpoint of the head of finance, that had initially been detected as suspicious by DeceptionGrid, had been infected. All of its local drives, including critical financial data, were encrypted. Instantly the encrypted endpoint was isolated and all source IP addresses, detected by DeceptionGrid, reviewed to ensure clean VLANs. Out of hundred endpoints on these VLANs specific points of threat could be identified and cleaned deliberately during the time span of a few weeks.

DeceptionGrid became the CISO’s eyes on the hospitals’  network and a  day to day tool for intelligence. There was a moment that I said to myself: it looks like the writing was on the wall. By living through this real-life example, I learned how essential short time to value and powerful intelligence provided by our system is. Especially in the healthcare sector where resources are short and decision making is not just about money but about saving the lives of people.

Since 2014, ransomware has become much more sophisticated and undergone significant evolution. Ransomware no longer attacks just one or two endpoints; in the context of a targeted attack, it encrypts whole virtual networks in minutes. Not just one shared drive is encrypted; it encrypts all shared network drives simultaneously. Not just servers with business data; also, backup servers and crucial IT infrastructure. Not just Windows endpoints, but even unique Linux versions, SAN related with Hypervisors. And, not only file encryption but also data manipulation and stealing files for extortion.

TrapX works day and night to stay one step ahead of cybercriminals and to continuously improve our detection technology, emulation traps and cyber capabilities. Over the years, TrapX has detected malware and ransomware in global healthcare organizations and enabled isolation as early as possible. Risks at healthcare organizations in various countries have been observed and research conducted. Download the full report here.

Pictures Archiving and Communication Systems (PACS) are often very vulnerable to attacks. With these systems, patient images are displayed for doctors and radiologists, using robust online and offline storage for displaying data. Attacking PACS or manipulating their data generates considerable risk. It can harm the service level for patients, and sensitive patient data can be exposed. In addition, RIS\HIS systems store sensitive data about patients. Other medical devices such as MRI, CT, other modalities, fusion pumps, scanners, ventilators, and blood gas analyzers are also desirable targets for attackers.

Over the last two years, cybercriminals have leveraged the COVID pandemic as budgets at hospitals were diverted to fight the pandemic, causing hospitals focus their efforts on improving patient service and leaving a shortage of technical and personnel resources.

According to a Sophos report, many healthcare organizations do pay the ransom eventually. The report states:

  • 65% of those hit by ransomware in the last year said the cybercriminals succeeded in encrypting their data in the most significant attack.
  • 34% of those whose data was encrypted paid the ransom to get their data back in the most significant ransomware attack.
  • 69% of data was restored after paying the ransom.

Recently, more and more healthcare organizations have decided to increase their security budgets due to the increase of attacks on this sector.

Some journalists and cyber researchers are already saying that “the writing was on the wall” for some of these attacks, since the victims didn’t patch their endpoints on time and the budget was not allocated for cyber security needs. On the other hand, the vast increase in new vulnerabilities is also creating a considerable challenge even for organizations that do everything by the book and still get hit on a weekend or a national holiday by surprise.

TrapX customers do not need to rely just on patching their devices and endpoints; as soon as they add emulation traps, they reduce their organization’s risk and dwell time while isolating attackers.

TrapX healthcare customers can create emulation traps of any medical device in their network, including not only standard emulation traps such as PACS, MRI, and CT, but also customized traps emulating blood gas analyzers, RIS\HIS systems, and more. TrapX DeceptionGrid supports the DICOM service and allows customizing high-interaction traps to include medical data and customizing the complete login UI or the database of medical devices to deceive and detect unauthorized access.

HIPAA and the GDPR forbid data collection from medical devices; because of this, effective healthcare threat detection and response technology must be passive (no scans) and touch-free (no agents). Deception technology perfectly meets these challenges by providing a non-intrusive solution. 


With the increase of attacks on hospitals, customers should seek a quickly-deployable solution that can immediately reduce risk in their organizations. An agentless solution as TrapX DeceptionGrid can provide early detection of breaches for IoT, medical devices, and mission-critical systems that operate 24×7 and save people’s lives.

Cybercriminals do not rest for a minute. They have a 65% success rate of encrypting files in healthcare organizations, and 34% of those organizations paid the ransom. The combination of the urgent need to receive health care services and many organizations that do pay the ransom eventually creates a golden opportunity for cybercriminals.

With so many new vulnerabilities discovered every day, it becomes impossible to patch and update any OS in the hospital fast enough, especially 24×7 mission-critical medical devices.

It is much easier to create emulation traps with exposed vulnerabilities that can reduce risk, provide the organization with early breach detection and enable immediate isolation.

“Writing on the wall” messages won’t help here. We need to assist healthcare organizations in taking proactive actions by defining an active defense strategy, reducing risk and dwell time upon breach, ensuring the high-level healthcare services that all of us deserve, and making the world more secure. 

About TrapX Security

TrapX has created a new generation of Deception technology that provides real-time breach detection and prevention. Our proven solutions immerse tangible IT assets in a virtual minefield of traps that misinform and misdirect would-be attackers, alerting SOC teams to malicious activity with immediate, actionable intelligence. Our solutions enable our customers to isolate, fingerprint rapidly and disable new Zero-Day attacks and APTs in real-time.

Learn more about our unique approach to Deception

Discover why more than 300 global customers call TrapX "simple, powerful, and affordable."